Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Crack iOS Mobile Hotspot Passwords In Less Than a Minute

Posted by Soulskill on from the algorithm-to-guess-your-cat's-name dept.

msm1267 writes "Business travelers who tether their iPhones as mobile hotspots beware. Researchers at the University of Erlanger-Nuremberg in Germany have discovered a weakness in the way iOS generates default passwords for such connections that can leave a user's device vulnerable to man-in-the-middle attacks, information leakage or abuse of the user's Internet connection. Andreas Kurtz, Felix Freiling and Daniel Metz published a paper (PDF) that describes the inner workings of how an attacker can exploit the PSK (pre-shared key) authentication iOS uses to establish a secure WPA2 connection when using the Apple smartphone as a hotspot. The researchers said that attackers would find the least resistance attacking the PSK setup rather than trying their hand at beating the operating system's complex programming layers."

15 of 49 comments (clear)

  1. Argh! by girlintraining · · Score: 4, Insightful

    the operating system proposes four-to-six-character passwords generated from a default list of 1,842 words and then tags on a random four-digit number.

    *facepalm* Dinopass does a better job of picking good passwords than Apple, and it's designed for children. For the largest company on the planet, this is really, painfully, sad. In other news, this isn't a weakness in the crypto per-se -- it's making a suggestion. The user still has the option of picking something more secure.. so it's not entirely Apple's fault if your hotspot gets p0wned.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:Argh! by 54mc · · Score: 2

      For reference, that means there's 18,420,000 combinations.

      --
      Joy! Beautiful spark of the gods!
    2. Re:Argh! by cbhacking · · Score: 2

      Or (in the terms that people in this area usually think in) just over 24 bits of entropy. (~24.135)

      That is absurdly low for an auto-generated single-use password.

      --
      There's no place I could be, since I've found Serenity...
    3. Re:Argh! by retchdog · · Score: 4, Informative

      The researchers say that the words are not picked uniformly at random, so it's actually fewer bits than that.

      It's not hard to see why apple makes it this way: it's so that it's easy for you to share the password with people, and so that it's uniformly easy to type in on smartphones and tablets which reliably have only alphanumerics (and minimal punctuation) on the default keyboard.

      Most people don't care about this stuff, and if you do you can change it. Apple understands that ease-of-use is king. That's why they make money.

      --
      "They were pure niggers." – Noam Chomsky
    4. Re:Argh! by Anubis+IV · · Score: 2

      Not to defend it too much, since I agree that this is rather silly of Apple to have done, but we do need to remember that these hotspots are transient, and that for them to be attacked, an attacker would have to both know the location of one and when it will be there. That said, if someone were in a routine that an attacker was aware of, it would be fairly trivial to use this attack against them, and even if they generated a new password, they'd still face the issue again.

  2. Re:less than a minute? by Russ1642 · · Score: 2, Informative

    Rainbow tables are useless against properly salted passwords. Anyone not using a salt in this day and age is begging to be hacked.

  3. Internet Abuse by Major+Ralph · · Score: 3, Funny

    abuse of the user's Internet connection

    I abuse my internet on a daily basis.

    --
    I must not fear. Fear is the mind-killer.
  4. Re:less than a minute? by CastrTroy · · Score: 3, Insightful

    And rainbow tables are also only good if the attacker has access to your password file. If untrusted people have access to your password file, you already have some problems. The only case where the attacker should have access to the password file would be if they had physical access to the machine, in which case you'd better trust them to some degree anyway. However, what frequently ends up happening, is that remote systems are hacked into and password files are downloaded, and analyzed using a rainbow table. Sure the salting of passwords would have helped a little in this situation, but the glaring problem is that they hacker should have never been able to obtain the password file in the first place.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  5. Fixed in iOS 7 by eecue · · Score: 2, Informative

    FWIW, this has been fixed in iOS 7, it is now totally random.

    --
    -- sigs suck --
    1. Re:Fixed in iOS 7 by adolf · · Score: 2

      Nothing is totally random.

      --
      Kid-proof tablet..
  6. Re:Simple. by Aaden42 · · Score: 3, Informative

    Indeed this is not true. I use mobile hotspot on iOS6 (iPhone 4S). Default password was pathetic, but easily changed.

  7. Re:Really? by Anonymous Coward · · Score: 3, Insightful

    So, someone else might be able to jump onto your phone data when you are tethering... however to do so they need to lug around a big computer tower with a bunch of GPUs plugged in, and only if you use the default password.

    This is very much a non-story. Most people using tethering will have it enabled when they need it then turn it off (otherwise major battery drain), so they might be able to use your internet for a little bit but then they'll be left with nothing. And it's really really easy to change the default password, on the screen to enable mobile hotspot on your phone the password is displayed, tapping on it gives you the keyboard to change it. This was the way it worked from the beginning of IOS tethering.

    With changing the password being so easy, how many people who use tethering would leave it at the default? Most people I know would change it just to make it more personal and memorable.

    The tower-full of GPUs doesn't have to be on-site. One can always transfer the captured handshake to a remote system for cracking. Of course, this renders the goal of getting a little free wireless broadband pointless (as it supposes an attacker already has some kind of network access).

  8. Re:Really? by Wookact · · Score: 2

    So, someone else might be able to jump onto your phone data when you are tethering... however to do so they need to lug around a big computer tower with a bunch of GPUs plugged in, and only if you use the default password.

    I read the article, It said nothing about lugging around a computer filled with GPU. I would be willing to bet my laptop could handle that.

    “The app also gives explanations and hints on how to crack a captured WPA handshake using well-known password crackers,” the paper said. “Future releases might also automate the process of capturing and cracking hotspot passwords. As computing power on smart devices is limited, one solution is to involve online password cracking services like CloudCracker, to crack hotspot passwords on-the-fly.”

    In fact it sounds as if it may even be feasible without the laptop.

  9. Ancient Hoax by Cajun+Hell · · Score: 3, Funny

    ..in iOS 6 for example, the operating system proposes four-to-six-character passwords generated from a default list of 1,842 words and then tags on a random four-digit number.

    I think I can explain what happened.

    First of all, this story is a dupe. It originally ran on April 1st, 1990. At the time, the story was about "System 6" but some recent tech media editor thought that meant "iOS 6" (I'll explain how the mistake happened, below). That explains the pre-mass-mainstream approach to passwords.

    Secondly, even the 1990 story was a hoax. By the standards of the day, that was still such a stupid way to generate passwords, that no one would do it.

    Third, the story was written by a guy who turned out to be working at Microsoft. The whole point of the hoax was to make the Newton tablet look stupid, a mis-engineered travesty designed by utterly clueless morons. The 2013 tech media editor saw "Newton" and knew that couldn't be right, which is how it became iOS. Newtons didn't really run System 6, but the original Microsoft author didn't know that.

    In short, this is about stupidity that is so stupid, that people didn't do things that stupidly, even back when your mother hadn't heard of the Internet yet.

    Just kidding. It's a modern story, but I just wanted to point out that even the most absurd bend-over-backward-to-rationalize-things explanation for behavior this stupid, still isn't very convincing. No field can distort reality to the required degree.

    --
    "Believe me!" -- Donald Trump
  10. Brief Comparison to other Platforms by Plumpaquatsch · · Score: 3, Interesting

    Other mobile platforms might be affected by these deficits as well. Although, we did not analyze other platforms in detail, spot-checks have revealed that default passwords in Windows Phone 8 consist of only 8-digit numbers. As this results in a search space of 108 candidates, attacks on Windows-based hotspot passwords might be practicable. Moreover, while the official version of Android generates strong passwords2, some vendors modified the Wi-Fi related components utilized in their devices and weakened the algorithm of generating default passwords. For instance, some Android-based models of the smart- phone and tablet manufacturer HTC are even shipped with constant default passwords consisting of a static string (1234567890) [26]. However, future studies will be necessary to evaluate the security level of mobile hotspots on other platforms in more detail.

    --
    Of course news about a fake are Fake News.